The address looks kind of legitimate, but there's no Duck Creek Road in Oakland and the phone number is most likely Los Altos, not Oakland. Also the fact that it has been registered just days ago is a clue.. and it turns out that the registrar is BIZCN.COM of China which is an odd choice for a California company.. in other words, the domain registration details are fake.

AdSlash.com is hosted on 217.23.7.6 which is reportedly a Worldstream Data Center in Faro, Portugal. There's a cluster of servers with fake registration details which are probably related:

217.23.7.6
Adslash.com
Dc2way.com
Ispmns.com
Rtcohost.com
Vpsroll.com

217.23.7.7
Net-wisp.com
Realhgost.com
Slhoste.com

217.23.7.8
Inhostin.com
Nx7tech.com
Vpbyte.com

217.23.7.9
Eywtech.com
Qhostin.com
Sslcode.com

Blocking the entire 217.23.7.x range will probably do no harm at all, it is full of typosquatting domains and other crap.

The PDF exploit itself is hosted in Russia on 213.108.56.18 at Infoteh Ltd (UNNET-LINER), there are a bunch of domains serving these exploits up:

Oh, well that's kind interesting.. they appear to be based in the UK. A quick check at Companies House does come up with a Realcom Ltd.. but it's a wholly innocent and unconnected company in Oxfordshire.

There's not much of a web presence about from this Dutch-language review [autotranslated] which also complains that the site is a fake and that unauthorised credit card transactions have been made.

We have seen quite a lot of the domain registrant trafficbuyer@gmail.com lately [1][2][3] and it would be fair to say that this email address has been connected with malware domains for a few months [4][5].

Domains operated by trafficbuyer@gmail.com appear to be part of the routing mechanism to bad sites, but there's no indication of who the email address actually belongs to. Is it an ad network, or is it the bad guys themselves.. and if it's an ad network, why are they hiding their name?

This post at Spyware Sucks gave a clue. There are several domains which are interesting because they have changed hands during their lifetime from a firm called Modena Inc (modenainc.com) owned by one Bryan Hunter of Oregon and are now in the hands of "trafficbuyer".

So, who are Modena Inc of Oregon? According to the State of Oregon, the two key people here are Bryan Hunter and Andrew Vilcauskas, although Mr Hunter's name is most often associated with Modena, Inc. The official status for Modena, Inc shows "Administrative Dissolution" which means that the state dissolved the company for non-filing of paperwork.. this seems to be a common issue. If we look at businesses related to Bryan Hunter then we see:

Now, given the WHOIS history of these domains we would suggest that either Bryan Hunter is trafficbuyer@gmail.com or he sold the domains on to this person. If they are the same person, then perhaps he would like to review his business relationships and clean them up...

Friday, 15 January 2010

ebuddy.com is running a malicious ad on the zoombanner.com domain, apparently managed by Yieldmanager.

First, the "legitimate" end of the malware chain loads at ad.zoombanner.com/content?campaign=1171557&sz=6This forwards to deliver.commismanderakis.com/rotate?m=2;b=6;c=1;z=585778
Which goes to content.fishpotboutademalled.com/track/3388182/S_IT?[snip]
Then img.commismanderakis.com/img?XAhIPWtICDkJX0FVHXUDKFoRYhYlRxFCNlsBGEhLBEtVdRdiCRYKBA8kKV9RHBEaXFJfXFMHAQ
Followed by the payload domain at jduvazuc.info/cgi-bin/dep
then jduvazuc.info/cgi-bin/dep/j006102Hd793447cR55e239b8T9cc338b5V0100f060203L69740000000000000000
then jduvazuc.info/cgi-bin/dep/o006102203317l0010Hd793447cR55e239b8T9cc338b6V0100f060
Finally jduvazuc.info/cgi-bin/dep/e006102203318l0010Hd793447cJ0d000601R55e239b8T9cc338a4U0ec2fc77V0100f0600

This last hop tries to load an executable (and probably some other crap I haven't spotted), not very well detected according to VirusTotal. Oh yes, there's a PDF exploit too.

The malicious ad is an Italian language vacation banner in this case.

Most of the domains have anonymous registration details, except zoombanner.com which has the same details that were used in the malicous ads featured here and here.

Croft Pole Distributors Ltd (www.croftpoles.co.nz) are a wholly legitimate business based in Whangarei, New Zealand. This is a fake offer that falsely used Croft Pole's name in order to recruit into a money mule scam.

Croft Timber Company Limited is a family owned business that began in 1905 and is still in Croft family hands today.

CTC moved more towards the specialised production of timber poles approximately 20 years ago and now trades locally as Croft Pole Distributors Limited with pole supply outlets in both Northland, Rodney and Auckland.

Within the last ten years CTC has grown considerably with investments in a new and larger site, plant modernisation/expansion and the introduction of equipment such as the Bezner Rounding Machine, Fogarty Kiln, Automatic Stacker, Machine stress grader and edge tester, planer and dry-mill department as well as the constant replacement and upgrading of existing plant and machinery.

The mill site is on about thirty acres of land with rail facilities adjacent and is approximately 25 minutes from the deep water port of Marsden Point. The plant ispresently capable of processing around 2,500-3,000 m3 per month.

We are committed to customer service and our aim is to remain flexible to meet the ever changing market needs with product and service unparalleled in the timber pole industry to date..

Most of our customers from Australia, Canada,United States & United Kingdom pay through various terms of payment which some are not negotiable here in New Zealand. This brings our quest to employ a credible and trustworthy fellow as our representative to coordinate our payments. This would not affect your present job but add more to your income.

Being our representative and assisting us in processing the payments from our clients should earn you a commission of 10% of every payment you coordinate.

Once we makes a sale we deliver the product to a customer (usually through UPS).The customer receives and check the products. After this has been done, the customer has to pay for the products. About 90 percent of our customers prefer to pay through Bank Wire Transfers or certified cheque. We have decided to open this new job position for solving this problem.

Your tasks are;

1. Receive payment from Customers through your Bank Accounts

2. Deduct 10% which will be your percentage/pay on Payments processed

3. Forward balance after deduction of percentage/pay to any of the offices you will be contacted to send payment to. (Payment is to forwarded by Local transfers (Western Union only). A local Money transfer takes barely hours, so it will give us a possibility to get customers payment almost immediately.

For example you have got �50,000.00

You take your income: �5,000.00

You will be able to operate with larger orders and you will be able to earn more.

Our payments will be sent into your Bank account that you provided, deduct your 10%(Salary) and forward the balance to the company via Western Union only.

We understand it is an unusual and incredible job position. This job takes only 3-7 hours per week.

You Will have a lot of free time doing another job, you will get good income and regular job. But this job is very challenging and you should understand it. We are looking only for the worker who satisfies our requirements and will be an earnest assistant, We are glad to offer this job position to you. If you feel that you are serious about this and be an earnest worker, All we will need for recording you to our database is below:

The reply-to address is croftpole.update@gmail.com rather than croftpoles.co.nz, originating IP is 213.132.197.149 in the Netherlands, which hosts three porn sites but has probably been compromised. It is nothing at all to do with Croft Poles.

Of course, this 10% fee is a "too good to be true" scam which could well wind up with you going to prison, so it should be avoided at all costs.

The cruiser "Aurora" signalled the start of the Russian Revolution in St Petersburg in 1917.. I wonder if this name was chosen deliberately when the attackers targeted some of the West's biggest tech companies?

Thursday, 14 January 2010

The malicious ads were running through (and I understand now terminated by) bootcampmedia.com, related to this post, according to commenter cerdo:

Blogger cerdo said...

bootcampmedia.com was also likely hosting a malicious campaign yesterday afternoon, and perhaps still ongoing. I'd contact you Jamie, but I don't have contact info for you. This all is clearly closely related to Dynamoo's post...

traffic.worldseescolor.com is an obvious bad actor. The other related domains:
deliver.bailagequinismregrow.com
img.bailagequinismregrow.com
content.cabullacoexertstephen.com

We are informing you that because of the security upgrade of the mailing service your mailbox (username@blahblah.blah) settings were changed. In order to apply the new set of settings click on the following link:

Clicking through the link takes you to a convincing looking OWA (Outlook Web Access) forgery page, populated with the victim's domain name and email address.

There are two exploits on the page, the first one is a drive-by download of an infected PDF file called pdf.pdf for which VirusTotal detection is only 10/41, detected by McAfee as Exploit-PDF.ac and various others. The executable file you are directed to download is also a bit patchy on detections.

In this case the endpoint of the infection has switched to bonnapet.com hosted on 217.20.114.40 which is hosted by netdirekt e.K. / internetserviceteam.com, hardly surprising as they are one of the more common havens for crimeware. The internetserviceteam.com name appears to be a sub-brand used for black hat hosting .. perhaps it is time for a visit from the Bundespolizei?

Tuesday, 12 January 2010

A malicious ad running on BoingBoing.net is delivering visitors to a PDF exploit.

Given the complicated state of advertising arbitrage, it is unlikely that BoingBoing.net have much control over it. The ad appears to be loading in from ad.yieldmanager.com (which is Yahoo!) and/or ad.z5x.net (DSNR Media Group) both of which are hosted on the same multihomed IP addresses.

The ad itself (pictured) appears to be some sort of get-rich-quick scheme or other.

This ad then directs through ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?z=BootCamp&dim=335848 to traffic.firedogred.com/content?campaign=1219131&sz=2 (this combination of bootcampmedia.com and firedogred.com has been noted before)

The ad then hops to deliver.amerchibchapowered.com/rotate?m=5;b=2;c=1;z=243826 then content.baalcootymalachi.com/track/3388182/S_SE?[snip] loading an image from img.amerchibchapowered.com along the way.

Finally, the visitor is directed to chohivyb.info/cgi-bin/aer/[snip] which contains an exploit detected as Troj/PDFJs-GI by Sophos.

"Boot Camp Media" is run by a guy called Jamie Dalgetty of Guelph, Ontario in Canada. It's unlikely that he's a bad guy, more likely that his ad network is being exploited by a malcious third party.

traffic.firedogred.com is rather more interesting, multihomed on 69.164.215.204, 69.164.215.205, 69.164.215.207, 69.164.215.208 and 69.164.215.210 at Linode, New Jersey. The domain firedogred.com is slightly interesting:

deliver.amerchibchapowered.com is also multihomed at Linode on 74.207.232.250, 74.207.232.25, 74.207.232.30, 74.207.232.31, 74.207.232.35, 74.207.232.39, 74.207.232.202, 74.207.232.203, 74.207.232.205, 74.207.232.206, 74.207.232.248 and 74.207.232.249. The domain was registered on 7th January 2010 and is hidden by DomainsByProxy.

content.baalcootymalachi.com is hosted on 69.164.196.55 at Linode again, again registered on 7th January via DomainsByProxy.

img.amerchibchapowered.com is hosted on a large number of servers at 174.143.243.90, 174.143.243.162, 174.143.243.220, 174.143.245.236, 98.129.236.154, 98.129.236.239, 98.129.236.254, 98.129.237.14, 98.129.238.99, 98.129.238.101, 98.129.238.102, 98.129.238.103, 98.129.238.105, 98.129.238.106, 98.129.238.112, 174.143.241.174, 174.143.242.58, 174.143.242.109 - these are all hosted at Slicehost.com which is a customer of Rackspace.

Finally, chohivyb.info is hosted on 216.150.79.74 which is some outfit called ezzi.net of New York owned by another outfit called AccessIT. No prizes for guessing that chohivyb.info has been registered only very recently with anonymous details.

In each case, the header contain a fake "from" address, the Yahoo! email address changes constantly.. and the mail seems to come from Brazil. This is most likely just a version of the mystery shopper scam, and should be avoided.